General Data Protection Regulations (GDPR)

by Andrew Dancy

The General Data Protection Regulations ("GDPR" for short) have been in the news a lot recently. But what are the new rules and how do they affect your business?

The background

In 1995 the European Commission published the Data Protection Directive. This required all EU member states to implement their own data protection legislation to ensure that the personal data of their citizens was being appropriately protected, and to ensure that citizens were guaranteed specific rights to both know what data was being held on them by third parties and to be able to require that data to be corrected or deleted where appropriate.

However in subsequent years the rapid development of social media, smartphones and the continuing evolution of the Internet showed that the existing legal protections were not adequate. As a result the European Commission proposed a new regulation - the General Data Protection Regulations. Unlike with the previous Data Protection Directive which allowed individual EU members to implement the rules in their own way, the GDPR Regulations were to be implemented as a single EU-wide regulation on a single date: the 25th May 2018.

One of the key objectives of GDPR was to extend the existing data protection regime in Europe to ensure that all EU citizens had the same level of protection regardless of whether their data was being handled or processed by an EU business or a non-EU business. The commission stated that their aim was to ensure that all citizens had a standard set of "digital rights" in an age where personal data was increasingly key to the digital economy of the future.

Why is GDPR important?

GDPR is important for all businesses due to both the wide scope of the Regulations but also because of the significant penalties for non-compliance. In the case of severe breaches fines can reach the higher of either €20m or 4% of global turnover.

GDPR also extends the scope of potential liability for any breach of data. Previously there was a distinction between data "controllers" who actually owned data and data "processors" who were contracted by the controller to do something with that data. The former could be liable for any loss or misuse of personal data but not the latter. However under GDPR both the controller and the processor will be joint and severally liable. This means that either or both parties can be sued by affected individuals or fined by regulators.

Since many businesses in the technology sector are likely to be processors this means that under GDPR those businesses will now have a potential liability which they didn't previously have!

What does GDPR actually require?

GDPR sets out a number of obligations on anyone that is controlling or processing data. This is not intended to be an exhaustive guide, but the basic requirements are as follows:

Know what data you control and where you got it from

For any data you control or process ensure that you are doing so on a "lawful basis" (this is explained further later on)

Take suitable measures to protect any data you control or process and to mimise any risks to that data

Where you subcontract any processing of data you control you must ensure the processor is working to equivalent standards of protection

Where you hold "personal" or "sensitive" data you must take additional steps to ensure the protection of that data. Personal data is widely drawn - even an email address or an IP address can be considered to be personal data!

Where an individual requests so, you must provide a copy of any data you hold on them quickly and in a suitable machine-readable form ("data portability")

Where an individual requests you do so, you must remove any data you hold on them (the "right to be forgotten")

"Lawful Basis"

"Lawful Basis" is one of the most important parts of GDPR. Essentially it requires that any data that is collected or processed must be done so on a lawful basis. If there is no lawful basis then the data cannot be collected or processed and must be destroyed.

There are a number of different scenarios that count as lawful basis:

Where the user has explicitly consented to your collection and processing of their data. This is the most common lawful basis and is also a fairly easy one to satisfy. You must tell the user clearly and unambiguously what data you are going to collect and why you are doing so. You must then give the user an opportunity to opt in to such collection (note this must be opt-in and not opt-out)

Where you need to collect data in order to fulfil a contract. This is also likely to be a common lawful basis and is intended to allow the collection and processing of data for common situations such as an online shop selling goods or services. In this situation the customer has entered into a contract by buying goods or services, so it would be legitimate to collect billing and shipping information and pass it on to a credit card processor, as this is neccesary to actually fulfil that contract. However using this data for a different purpose (such as marketing) would not be a lawful basis as it would not be neccessary in order to fulfil the contract

Where required by law. There may be some situations where data must be collected and processed because it is required by law. A good example would be that banks and financial institutions are often required by law to keep certain records for up to 6 years

Where there is a vital interest. This lawful basis is unlikely to be encountered in the business world as it is intended for life or death emergencies and would cover the processing of data by institutions such as the emergency services

Where required for a public task. This is also unlikely to be encountered as it is intended to allow Government departments or other official bodies to be able to collect and process data in order to do their jobs. Examples might include law firms who need to collect and process data in order to provide a service such as going to court

Finally there is 'legitimate interest'. This is deliberately drawn up to be quite vague but essentially allows for the collection and processing of data is there is an overriding legitimate interest in doing so. A good example would be if an individual has asked they not receive marketing emails from a business then there would be a legitimate interest in keeping that person's email address to ensure that marketing emails are not sent to that person, rather than deleting that person's data completely and thus risking accidentally emailing them in the future. However there is a high bar for legitimate interest - it must be in the overriding interest of the individual and not just because it is convenient to the company

It is also worth noting that where the data being collected or processed is "sensitive" (basically anything to do with race, religion, sexual preference, political affiliation, medical records or trade union membership) then a much stricter set of lawful basis requirements apply - basically you can only collect or process such data where there is explicit consent from the user, is in the overwhelming public interest or it is required by law.

What about Reincubate?

To find out more about Reincubate's rights and obligations under GDPR please see our privacy policy.